OctoPrint Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
Description
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if they come from networks that are not configured as localNetworks, spoofing their IP via the X-Forwarded-For header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OctoPrintPyPI | < 1.10.1 | 1.10.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-2vjq-hg5w-5gm7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-32977ghsaADVISORY
- github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4ghsax_refsource_MISCWEB
- github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-237.yamlghsaWEB
News mentions
0No linked articles in our index yet.